Solved

domain time not syncing

Posted on 2013-05-23
4
653 Views
Last Modified: 2013-05-27
i have a single domain with 3 sites.  everything is working fine except that at site 2 the time on the local domain controller will not sync with the PDC at site 1.

each site has it's own domain controller. site 1 is connected to site 2 via private line.  site 1 is connected to site 3 via VPN at our firewalls.  site 2 and 3 cannot communicate directly.

users on the domain at site 2 are pulling incorrect time from the DC at site 2.  on the DC at site 2 a w32tm /monitor recognizes a time mismatch between it and the PDC at site 1, but a resync does not fix the issue.

i went ahead and added the PDC at site 1 as a manually added peer, but resyncing still does not fix the issue...

to temporarily fix the issue i did a net time \\DC@site1 /set.  i've had to do this twice within the last 3 months.  any ideas why the DC at site 2 is not pulling time correctly?  i've checked and UDP traffic on port 123 is allowed across our private link, so its not a traffic/routing/networking issue.

many thanks in advance.
0
Comment
Question by:j_haff
  • 2
4 Comments
 
LVL 18

Accepted Solution

by:
irweazelwallis earned 500 total points
Comment Utility
you need to set up windows time settings to sort this out so that resync happens automatically

you can use WMI filtering to automatically move the Time settings around

http://blogs.technet.com/b/askds/archive/2008/11/13/configuring-an-authoritative-time-server-with-group-policy-using-wmi-filtering.aspx

then add the additional settings to control how often it syncs and where from

On the PDC add these settings to the policy (where GPS External is a dns record pointing at an external time source, this could also be pool.ntp.org or something similar)

System/Windows Time Service/Time Providershide
Policy Setting Comment
Configure Windows NTP Client Enabled  
NtpServer GPSEXTERNAL,0x1
Type NTP
CrossSiteSyncFlags 2
ResolvePeerBackoffMinutes 15
ResolvePeerBackoffMaxTimes 7
SpecialPollInterval 900
EventLogFlags 3


 on the default DC policy
System/Windows Time Service/Time Providershide
Policy Setting Comment
Configure Windows NTP Client Enabled  
NtpServer time.windows.com,0x9
Type NT5DS
CrossSiteSyncFlags 2
ResolvePeerBackoffMinutes 15
ResolvePeerBackoffMaxTimes 7
SpecialPollInterval 3600
EventLogFlags 1
 

i use the following in both to control the correction

System/Windows Time Servicehide
Policy Setting Comment
Global Configuration Settings Enabled  
Clock Discipline Parameters
FrequencyCorrectRate 4
HoldPeriod 5
LargePhaseOffset 50000000
MaxAllowedPhaseOffset 300
MaxNegPhaseCorrection 172800
MaxPosPhaseCorrection 172800
PhaseCorrectRate 7
PollAdjustFactor 5
SpikeWatchPeriod 900
UpdateInterval 100
General Parameters
AnnounceFlags 10
EventLogFlags 2
LocalClockDispersion 10
MaxPollInterval 10
MinPollInterval 6
ChainEntryTimeout 16
ChainMaxEntries 128
ChainMaxHostEntries 4
ChainDisable 0
ChainLoggingRate 30
0
 
LVL 18

Expert Comment

by:irweazelwallis
Comment Utility
to run through the checking you can do some of the following

setup debugging on window time

http://support.microsoft.com/kb/816043

this will create log files and you can tell if its pulling the time from the right place

w32tm /query /status to see what its doing

then
w32tm /monitor /computers:dc2.domain.com,DC01.domain.com (It will show the offset by comparing with your PDC)

or with a nice easy display

w32tm /stripchart /computer:<remote computer>
0
 

Expert Comment

by:userPrincipalName
Comment Utility
It should be pointed out the Announce Flags on your PDCe should be set to 5.  All other DCs should be set to 10.
0
 
LVL 38

Expert Comment

by:ChiefIT
Comment Utility
Also, how far out of time are they?

MaxAllowedPhaseOffset 300

This means they will not synch unless they are +/- 5 minutes out of synchronization.
0

Featured Post

Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Redirected folders in a windows domain can be quite useful for a number of reasons, one of them being that with redirected application data, you can give users more seamless experience when logging into different workstations.  For example, if a use…
Preface There are many applications where some computing systems need have their system clocks running synchronized within a small margin and eventually need to be in sync with the global time. There are different solutions for this, i.e. the W3…
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now